Executive Summary:
Cyber attacks have occurred on computers belonging to South Carolina's Department of Revenue. A very sophisticated hacker was able to get inside one of the state government's databases, which held vast amounts of personal information. The approximate totals the hacker may have obtained include 3.6 million Social Security numbers and 387,000 credit/debit card numbers. It was reported that investigators had been looking into these security breaches since August. The reason the police waited this long to notify the public was supposedly an investigative strategy aimed at better protecting the information that may have been breached.
Government officials have urged any taxpayer who has filed a return since 1998 to check whether any of their private information was affected. Taxpayers were also given a toll-free number they could call to obtain a full year of credit and identity theft protection from Experian, paid for by the state.
Analysis:
With regard to the credit card information, it seems logical to question whether the Payment Card Industry Data Security Standard (PCI DSS) was followed. Just as merchants who accept credit card information are required to comply with PCI DSS, the state should apply the same principles and objectives when taxpayers provide this information for taxes that are due or are to be refunded. The article does not mention whether such standards were followed, so an assessment of the state's PCI DSS compliance is imperative.
Also, the chief of the state's Law Enforcement Division tried to justify why the attacks were not made public right away; however, earlier disclosure might have prevented further damage. Although the exact extent of the damage is not yet known, if taxpayers had been aware in August that attacks were occurring, they could have taken the proper steps to protect whatever information they had made available to the state. Instead, the lag could have given the hackers more time to obtain gargantuan amounts of personal information.
The article also mentioned that 16,000 of the credit card numbers were not encrypted. Even more alarming, none of the Social Security numbers were encrypted. The governor noted that the industry standard is that most of these numbers are not encrypted, even though the U.S. Social Security Administration encourages doing so. Encryption of these numbers may not necessarily have prevented the hacker(s) from obtaining this information, but it definitely could have slowed them down and allowed investigators to find the culprits and alert the public more quickly.
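The two controls the analysis argues for, not storing full card numbers and not keeping Social Security numbers in the clear, can be illustrated concretely. The following is an added example written for this page; it is not code from the article or from the Department of Revenue. It assumes a simple taxpayer table with `ssn` and `pan` fields (constructed names), keeps only the last four digits of each card number as PCI DSS allows, and replaces each SSN with a keyed HMAC token rather than reversible encryption, since the Python standard library has no AES and a deterministic keyed token still supports lookups. The sample rows use well-known test values, not real data, and the key is a placeholder standing in for one held in a KMS or HSM. A scan function then reads the table the way a stolen dump would be read, before and after protection.

```python
import hashlib
import hmac
import re
import secrets

# Constructed placeholder key. In a real deployment the key lives in a KMS/HSM,
# never in the same database as the tokens it protects.
TOKEN_KEY = secrets.token_bytes(32)

# Constructed sample rows. 078-05-1120 and 219-09-9999 are famous invalid SSNs;
# the card numbers are standard test PANs.
SAMPLE_ROWS = [
    {"taxpayer_id": "T-0001", "name": "A. Taxpayer", "ssn": "078-05-1120",
     "pan": "4111 1111 1111 1111", "refund": "250.00"},
    {"taxpayer_id": "T-0002", "name": "B. Taxpayer", "ssn": "219-09-9999",
     "pan": "5555555555554444", "refund": "0.00"},
]


def mask_pan(pan: str) -> str:
    """Keep only the last four digits of a card number.

    PCI DSS permits displaying at most the first six and last four digits.
    Retaining only the last four means a database dump carries no usable PAN.
    """
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible card number length")
    return "*" * (len(digits) - 4) + digits[-4:]


def ssn_token(ssn: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym for an SSN.

    A plain SHA-256 of a nine-digit SSN is inverted by trying all one billion
    values, so the token is an HMAC under a key kept outside the database.
    Deterministic output keeps lookups and de-duplication working.
    """
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("SSN must have nine digits")
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def ssn_matches(presented: str, stored_token: str, key: bytes) -> bool:
    """Check a taxpayer-supplied SSN against its stored token in constant time."""
    return hmac.compare_digest(ssn_token(presented, key), stored_token)


def protect_record(row: dict, key: bytes) -> dict:
    """Return a copy of a taxpayer row with no plaintext SSN or PAN."""
    protected = dict(row)
    protected["ssn_token"] = ssn_token(protected.pop("ssn"), key)
    protected["pan_last4"] = mask_pan(protected.pop("pan"))
    return protected


def protect_table(rows, key: bytes) -> list:
    return [protect_record(row, key) for row in rows]


SENSITIVE_PATTERNS = [
    re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b"),    # SSN, with or without dashes
    re.compile(r"\b(?:\d[ -]?){13,19}\b"),      # raw card number
]


def plaintext_exposed(rows) -> list:
    """Read the table as an attacker holding a dump would: report every field
    that still looks like an SSN or card number, as (taxpayer_id, field)."""
    hits = []
    for row in rows:
        for field, value in row.items():
            if any(p.search(str(value)) for p in SENSITIVE_PATTERNS):
                hits.append((row.get("taxpayer_id"), field))
    return hits


if __name__ == "__main__":
    print("exposed before:", plaintext_exposed(SAMPLE_ROWS))
    protected = protect_table(SAMPLE_ROWS, TOKEN_KEY)
    print("exposed after: ", plaintext_exposed(protected))
    print("lookup works:  ", ssn_matches("078051120", protected[0]["ssn_token"], TOKEN_KEY))
```

The scan reports four exposed fields on the original rows and none after protection, while a taxpayer can still be matched by the SSN they present. The tokens are only as strong as custody of the key, which is the same caveat that applies to encryption at rest: the point is that a stolen copy of the database alone no longer yields the identifiers.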